Security Response Headers Question


Carl Waldbieser

Feb 2, 2022, 2:50:19 PM
to cas-user
In CAS 6.4.x, I believe that the security response headers are enabled by default.  I.e.:

cas.http-web-request.header.enabled=true

If I browse to one of our CAS endpoints (e.g. /cas/login), I see the Strict Transport Security response header.

However, if I browse to an invalid endpoint, e.g. /, I don't see the Strict Transport Security response header.  This gets flagged in security scans.

I have a 2 part question.  Is this really a security issue?  An end user doesn't typically browse to a CAS resource on their own, so it seems like maybe not having the invalid resources protected is OK, since the user will likely be first introduced to CAS on a valid resource and the browser will remember the header setting for the site.

If this *is* an issue, is there a way to configure CAS to just apply the security response headers to *all* resources that it serves up?

Thanks,
Carl Waldbieser
ITS
Lafayette College

Misagh

Feb 2, 2022, 3:06:08 PM
to CAS Community
> If I browse to one of our CAS endpoints (e.g. /cas/login), I see the Strict Transport Security response header.
> However, if I browse to an invalid endpoint, e.g. /, I don't see the Strict Transport Security response header. This gets flagged in security scans.

Headers are inserted into resources that CAS can control and those
that are mapped to components internally to respond. Invalid resources
will never reach CAS for it to do anything with them, especially those
that are outside the app context (i.e. anything outside of /cas typically).

> I have a 2 part question. Is this really a security issue?

No.

> If this *is* an issue, is there a way to configure CAS to just apply the security response headers to *all* resources that it serves up?

You'll have to do it outside CAS, via something that can in fact
respond to invalid resources. Like an external servlet container or a
reverse proxy.
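The reverse-proxy approach suggested in the reply, as an added example that is not part of the thread and not CAS's own configuration: an nginx server block in front of a CAS instance. The hostname, certificate paths, the backend address (Tomcat on 127.0.0.1:8080) and the choice to return 404 for everything outside /cas are assumptions. The point it shows is that the header must be set at the server level with the `always` flag, so that responses nginx generates itself (such as the 404 for `/`) carry Strict-Transport-Security even though CAS never sees those requests.

```nginx
# Added example (not from the thread, not shipped by CAS): nginx terminates TLS
# and proxies /cas to a CAS server on Tomcat. Hostnames, ports and paths are
# assumptions for illustration.
server {
    listen 443 ssl;
    server_name cas.example.edu;

    ssl_certificate     /etc/nginx/tls/cas.example.edu.crt;
    ssl_certificate_key /etc/nginx/tls/cas.example.edu.key;

    # Set once at the server level so every location inherits it.
    # "always" is required for nginx to add the header to non-2xx/3xx
    # responses (404, 500, ...), which is exactly the case a scanner flags
    # when it requests "/".
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Caveat: an add_header inside a location block replaces ALL add_header
    # directives inherited from the server level, so any location that adds
    # its own header must repeat the HSTS line above.

    location /cas/ {
        # CAS already emits its own HSTS header for the resources it handles.
        # Hide it so the browser does not receive two copies with possibly
        # different max-age values; the server-level header is sent instead.
        proxy_hide_header Strict-Transport-Security;

        proxy_pass http://127.0.0.1:8080/cas/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }

    # Anything outside /cas is not served by CAS at all. Answer it here
    # (404, or alternatively a redirect to /cas/login); the server-level
    # "add_header ... always" still attaches HSTS to this response.
    location / {
        return 404;
    }
}

# Plain HTTP only redirects to HTTPS. HSTS is deliberately not set here:
# browsers ignore Strict-Transport-Security received over an insecure
# connection, so sending it on port 80 adds nothing.
server {
    listen 80;
    server_name cas.example.edu;
    return 301 https://$host$request_uri;
}
```

After reloading nginx, `curl -sI https://cas.example.edu/ | grep -i strict-transport-security` should now print the header for the 404 at `/` as well as for `/cas/login`, and the scan finding goes away without any change to CAS itself. Because the header is then owned by the proxy, keep its `max-age` in step with whatever CAS is configured to send, or leave `proxy_hide_header` in place so only one source is authoritative.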